EBS Volume is not Encrypted
Overview
Elastic Block Store (EBS) volumes can be configured to be encrypted by default, providing encryption of data at rest on the volume, of data moving between the volume and the instance, and of snapshots created from the volume (and of volumes created from those snapshots).
EBS encryption uses AWS KMS keys (historically called Customer Master Keys, CMKs). The key can be either the AWS-managed key for EBS (the default, alias aws/ebs) or a customer-managed key.
If you rely on the AWS-managed key, you do not have to create the key or manage its key policy, but you also cannot restrict it: its key policy is controlled by AWS, so any principal in the account with the relevant EC2 permissions can create, attach and read volumes encrypted under it. A customer-managed key lets you scope who can use the key through its key policy and grants.
If the default KMS key for EBS encryption in the Region is set to a customer-managed key, that key is used for encrypting EBS volumes and snapshots whenever no key is specified at creation time.
If EBS volume encryption by default was not consistently enabled, your environment may contain unencrypted EBS volumes. An existing volume cannot be encrypted in place, so remediation means replacing it with an encrypted copy.
Multiple steps are needed to encrypt an unencrypted EBS volume, and they are best performed one at a time so that each step can be verified before moving on.
To encrypt an existing EBS volume, first create a snapshot of it, copy that snapshot with encryption enabled (specifying the KMS key to use), create a new volume from the encrypted snapshot in the same Availability Zone, and then detach the original volume and attach the new one in its place.
Note:
- For an EBS volume that acts as a root device, stop the instance before taking the snapshot so that the snapshot is consistent.
- User-defined tags on EBS volumes are not copied to new snapshots.
- Copying a snapshot with a different encryption status produces a full (non-incremental) copy rather than an incremental one, so EBS snapshot storage costs increase. After verifying that the new volume works, consider deleting the intermediate unencrypted snapshot and, once the instance has been validated, the original unencrypted volume, since both still hold the data in plaintext.
- Some legacy EC2 instance types do not support encrypted EBS volumes: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#EBSEncryption_supported_instances.
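The workflow above, from checking the Region's default setting through detecting unencrypted volumes and replacing one, as an added AWS CLI example. This is not code from the original page or from AWS; it assumes AWS CLI v2 with credentials that allow the EC2 volume and snapshot calls used and use of the chosen KMS key, and the volume IDs, key alias and device names that appear in the comments are placeholders.

```shell
#!/bin/sh
# Added example for this control; not code from the original page or from AWS.
# Assumptions (not in the original): AWS CLI v2, credentials that may call the
# ec2 volume/snapshot APIs below and use the chosen KMS key, and placeholder IDs.
set -eu
export AWS_DEFAULT_REGION="${AWS_DEFAULT_REGION:-us-east-1}"

# Prints True/False: is EBS encryption by default enabled in this Region?
ebs_default_encryption() {
    aws ec2 get-ebs-encryption-by-default \
        --query 'EbsEncryptionByDefault' --output text
}

# Enable encryption by default and pin the Region's default EBS key to a
# customer-managed KMS key, so volumes created without --encrypted are covered.
enable_default_encryption() {
    kms_key="$1"                      # key ID, key ARN or alias/<name>
    aws ec2 enable-ebs-encryption-by-default >/dev/null
    aws ec2 modify-ebs-default-kms-key-id --kms-key-id "$kms_key" \
        --query 'KmsKeyId' --output text
}

# Detection: one unencrypted volume ID per line (nothing printed when clean).
list_unencrypted_volumes() {
    aws ec2 describe-volumes --filters Name=encrypted,Values=false \
        --query 'Volumes[].VolumeId' --output text | tr '\t' '\n' | sed '/^$/d'
}

# Remediation: snapshot -> encrypted snapshot copy -> new volume in the same AZ.
# Prints the new volume ID. Stop the instance first if this is a root volume.
encrypt_volume() {
    vol="$1"; kms_key="$2"
    set -- $(aws ec2 describe-volumes --volume-ids "$vol" \
               --query 'Volumes[0].[AvailabilityZone,VolumeType]' --output text)
    az="$1"; vtype="$2"

    snap=$(aws ec2 create-snapshot --volume-id "$vol" \
             --description "pre-encryption copy of $vol" \
             --query 'SnapshotId' --output text)
    aws ec2 wait snapshot-completed --snapshot-ids "$snap"

    # Copying with --encrypted yields a full (non-incremental) snapshot.
    enc_snap=$(aws ec2 copy-snapshot --source-region "$AWS_DEFAULT_REGION" \
                 --source-snapshot-id "$snap" --encrypted --kms-key-id "$kms_key" \
                 --description "encrypted copy of $snap" \
                 --query 'SnapshotId' --output text)
    aws ec2 wait snapshot-completed --snapshot-ids "$enc_snap"

    new_vol=$(aws ec2 create-volume --snapshot-id "$enc_snap" \
                --availability-zone "$az" --volume-type "$vtype" \
                --query 'VolumeId' --output text)
    aws ec2 wait volume-available --volume-ids "$new_vol"

    # Verify before swapping anything: the new volume must report Encrypted=true.
    case "$(aws ec2 describe-volumes --volume-ids "$new_vol" \
              --query 'Volumes[0].Encrypted' --output text)" in
        [Tt]rue) echo "$new_vol" ;;
        *) echo "volume $new_vol is not encrypted, aborting" >&2; return 1 ;;
    esac
}

# Swap: detach the old volume from its instance and attach the encrypted one
# at the same device name. Prints the device name that was reused.
swap_volume() {
    old="$1"; new="$2"
    set -- $(aws ec2 describe-volumes --volume-ids "$old" \
               --query 'Volumes[0].Attachments[0].[InstanceId,Device]' --output text)
    [ $# -eq 2 ] || { echo "$old is not attached to an instance" >&2; return 1; }
    instance="$1"; device="$2"
    aws ec2 detach-volume --volume-id "$old" >/dev/null
    aws ec2 wait volume-available --volume-ids "$old"
    aws ec2 attach-volume --volume-id "$new" --instance-id "$instance" \
        --device "$device" >/dev/null
    aws ec2 wait volume-in-use --volume-ids "$new"
    echo "$device"
}

# Only act when explicitly asked, so sourcing this file has no side effects:
#   sh ebs-encrypt.sh remediate vol-0123456789abcdef0 alias/ebs-default
if [ "${1:-}" = "remediate" ]; then
    new=$(encrypt_volume "$2" "$3")
    swap_volume "$2" "$new"
fi
```

Run the detection function first to get the list of findings, then remediate one volume at a time, checking the `Encrypted` flag of the new volume before detaching anything; the script deliberately stops short of deleting the intermediate snapshot or the original volume so that rollback stays possible until the instance has been validated. When a customer-managed key is used, it must live in the same Region as the volume and its key policy must allow the calling principal to use it; a copy-snapshot that fails with a KMS access error is the usual sign that it does not.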
Vendor
AWS
Cloud Service
EC2
References
https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-3
Severity
1
Item Types
AWS::EC2::Volume